Re: How does postgres handle non literal string values
From | Vernon Wu
---|---
Subject | Re: How does postgres handle non literal string values
Date | 
Msg-id | 2FXV72GHB762VC01VURWMGPMNMD8.3ded911d@kimiko
In reply to | Re: How does postgres handle non literal string values ("Charles H. Woloszynski" <chw@clearmetrix.com>)
List | pgsql-sql
In general, it isn't a good idea to have SQL statements in JSP files. A good practice is using Model 2. Struts is a popular Model 2 framework. If your application is very small and it won't grow into a big one, you can get around using Model 1. In that situation, the SQL tags of JSTL will be a recommended mechanism.

11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw@clearmetrix.com> wrote:

>Actually, we use JDBC Prepared Statements for this type of work. You
>put a query with '?' in as placeholders and then add in the values and
>the library takes care of the encoding issues. This avoids the double
>encoding of (encode X as String, decode string and encode as SQL X on
>the line). There was a good article about a framework that did this in
>JavaReport about 18 months ago.
>
>We have gleaned some ideas from that article to create a framework
>around using PreparedStatements as the primary interface to the
>database. I'd suggest looking at them. They really make your code much
>more robust.
>
>Charlie
>
>
>>"')..."
>>
>>You *will* want to escape the username and password otherwise I'll be able to
>>come along and insert any values I like into your database. I can't believe
>>the JDBC classes don't provide
>>
>>1. Some way to escape value strings
>>2. Some form of placeholders to deal with this
>
>--
>Charles H. Woloszynski
>ClearMetrix, Inc.
>115 Research Drive
>Bethlehem, PA 18015
>
>tel: 610-419-2210 x400
>fax: 240-371-3256
>web: www.clearmetrix.com
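The two approaches the thread contrasts, as an added example that is not code from the thread or from any project it mentions: a concatenated INSERT beside the PreparedStatement form with `?` placeholders that Charles describes. The table `users(username, password_hash)`, the JDBC URL and the credentials are assumed placeholders; the caller is assumed to supply an already-hashed password.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

public class UserInsert {

    // Vulnerable form: caller-supplied strings are spliced into the SQL text.
    // Any quote character in the input changes the statement itself, and
    // escaping by hand means encoding the value twice (as a Java string, then
    // again as a SQL literal), which is the double encoding the thread warns about.
    static int insertUserConcat(Connection conn, String username, String passwordHash)
            throws SQLException {
        String sql = "INSERT INTO users (username, password_hash) VALUES ('"
                + username + "', '" + passwordHash + "')";
        try (Statement st = conn.createStatement()) {
            return st.executeUpdate(sql);
        }
    }

    // Hardened form: '?' placeholders in the query text, values bound separately.
    // The driver keeps the bound values as data, so no escaping is needed and a
    // quote in the username is stored literally.
    static int insertUserPrepared(Connection conn, String username, String passwordHash)
            throws SQLException {
        String sql = "INSERT INTO users (username, password_hash) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, passwordHash);
            return ps.executeUpdate(); // 1 row on success
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed connection details and a placeholder schema for this example.
        String url = "jdbc:postgresql://localhost:5432/appdb";
        try (Connection conn = DriverManager.getConnection(url, "appuser", "changeme")) {
            // A username containing a quote: the concatenated form would produce a
            // malformed statement, the prepared form inserts it as an ordinary value.
            int rows = insertUserPrepared(conn, "o'brien", "<precomputed-hash>");
            System.out.println("rows inserted: " + rows);
        }
    }
}
```

The PostgreSQL JDBC driver must be on the classpath for `DriverManager` to resolve the `jdbc:postgresql:` URL.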